Prevent/Fix: Microsoft Baseline Security Mode has automatically trigger Entra Conditional Access policy creation

Between November 2025 and February 2026, Microsoft Baseline Security Mode automatically created two disabled draft Entra Conditional Access policies in some tenants. This is not a security issue, requires no action, and a fix will remove unintended drafts and prevent automatic creation.

Problem detected: Microsoft Baseline Security Mode has automatically triggers Entra Conditional Access policy creation

Customers who accessed Baseline Security Mode in Microsoft 365 between November 2025 and early February 2026 might see two draft Microsoft Entra ID Conditional Access policies created in their tenant in a Disabled state. These policies are associated with Baseline Security Mode and might appear as created by the administrator who signed in to the Microsoft Baseline Security Mode page.

[How this will affect your organization:]

This behavior doesn't represent a security incident and has no effect on tenant security. The policies are in a disabled draft state. 

[What you need to do to prepare:]

There's no action needed to prepare. A fix has rolled out to ensure policies are created only through explicit administrator action. Any unintentionally created policy drafts will be removed as part of addressing this issue. 

[Learn more about Microsoft Baseline Security Mode]
Baseline Security Mode: https://learn.microsoft.com/en-us/microsoft-365/baseline-security-mode/baseline-security-mode-settings?view=o365-worldwide